Hello,
I have a setup which worked without a problem on Debian squeeze
(shorewall 4.4.11.6-3) and now doesn't work any more on Debian wheezy
(shorewall 4.5.5.3-3).
The setup includes 2 bridges: br0, which bridges to eth0, and br1, which
bridges all virtual machines in a virtual LAN.
> brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001517ee821c       no              eth0
br1             8000.fe54365c6402       no              vnet0
                                                        vnet1
                                                        vnet2
If I try to ping/connect the LAN machines I get drops.
Shorewall:FORWARD:DROP:IN=br1 OUT=br1 PHYSIN=vnet0 PHYSOUT=vnet2 MAC=52:54:36:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=10.12.10.5 DST=10.12.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2686 SEQ=187
/etc/shorewall/policy
.....
lan $FW ACCEPT info
lan net ACCEPT info
lan lan ACCEPT info
....
/etc/shorewall/shorewall.conf
....
# this is set to Keep on squeeze and it is working
IP_FORWARDING=Yes
....
/etc/sysctl.conf
....
net.ipv4.ip_forward=1
....
It's quite strange because, as I said before, the same setup works for
me on squeeze (I am deploying with Puppet).
If I disable filtering the virtual machines can ping each other.
/etc/sysctl.conf
....
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
....
Any ideas?
Regards,
Julian
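What the dropped packet above actually tells you, as an added diagnostic script (my own example, not code from the post or from Shorewall): the interesting part of the log line is IN=br1 OUT=br1, i.e. the packet entered and left on the same bridge, so it was bridged rather than routed, and iptables only saw it because net.bridge.bridge-nf-call-iptables=1 (which is exactly the knob the poster turned off to make the pings work). The script parses a netfilter log line into its fields, flags the same-interface case, and checks the bridge-nf sysctl from a string of sysctl output so that it runs offline. The sample log line is the one from the post, wrapped back onto one line; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the post or from Shorewall: classify a netfilter
# log line like the one above and check whether bridge-nf is what put the
# bridged packet in front of iptables.

# Constructed sample: the log line from the post, on one line (a real line from
# /var/log/messages also carries a syslog header; cut that off first).
SAMPLE_LOG='Shorewall:FORWARD:DROP:IN=br1 OUT=br1 PHYSIN=vnet0 PHYSOUT=vnet2 MAC=52:54:36:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=10.12.10.5 DST=10.12.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2686 SEQ=187'

# nf_field LINE KEY: print the value of the first KEY=value field in a netfilter
# log line. The "Shorewall:CHAIN:DISPOSITION:" prefix is glued to the IN= field,
# so it is stripped before splitting on blanks. Prints nothing if KEY is absent.
nf_field() {
    printf '%s\n' "$1" \
        | sed 's/^[^ ]*:IN=/IN=/' \
        | tr ' ' '\n' \
        | sed -n "s/^$2=//p" \
        | head -n 1
}

# nf_prefix LINE: print "CHAIN DISPOSITION" from the Shorewall log prefix.
nf_prefix() {
    printf '%s\n' "$1" | sed -n 's/^Shorewall:\([^:]*\):\([^:]*\):.*/\1 \2/p'
}

# classify_drop LINE: exit 0 and print a summary when the packet entered and left
# on the same interface (bridged traffic, seen by iptables only because
# net.bridge.bridge-nf-call-iptables=1); exit 1 for a routed packet.
classify_drop() {
    inif=$(nf_field "$1" IN)
    outif=$(nf_field "$1" OUT)
    prefix=$(nf_prefix "$1")
    chain=${prefix% *}
    disp=${prefix#* }
    if [ -n "$inif" ] && [ "$inif" = "$outif" ]; then
        printf 'same-interface chain=%s disposition=%s if=%s physin=%s physout=%s\n' \
            "$chain" "$disp" "$inif" "$(nf_field "$1" PHYSIN)" "$(nf_field "$1" PHYSOUT)"
        return 0
    fi
    printf 'routed chain=%s disposition=%s in=%s out=%s\n' "$chain" "$disp" "$inif" "$outif"
    return 1
}

# bridge_nf_enabled SYSCTL_OUTPUT: exit 0 if the given sysctl output says
# net.bridge.bridge-nf-call-iptables = 1. Takes the text as an argument so the
# script also runs where /proc/sys/net/bridge does not exist.
bridge_nf_enabled() {
    printf '%s\n' "$1" \
        | sed -n 's/^net\.bridge\.bridge-nf-call-iptables *= *//p' \
        | grep -qx 1
}

# Run against the captured line. On a live host use the real value instead:
#   bridge_nf_enabled "$(sysctl net.bridge.bridge-nf-call-iptables 2>/dev/null)"
classify_drop "$SAMPLE_LOG"
if bridge_nf_enabled 'net.bridge.bridge-nf-call-iptables = 1'; then
    echo 'bridge-nf-call-iptables=1: bridged frames traverse the iptables FORWARD chain'
fi
```

Two things follow from the classification. First, the log prefix names the FORWARD chain itself, not a zone-pair chain such as lan2lan, so the packet fell through to the end of FORWARD without any lan-to-lan rule matching it. Second, Shorewall only generates rules for traffic that leaves on the interface it arrived on when that interface carries the routeback option in /etc/shorewall/interfaces, so comparing that file between the squeeze and wheezy deployments is the first check to make. Turning off bridge-nf, as in the poster's test, hides the problem rather than fixing it: the same frames then never reach iptables at all.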
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users